Discourse users archives leaked to users with moderation privileges

5.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users are leaked through the archives leading to a breach of confidentiality. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. To work around this problem, a site admin can temporarily revoke the moderation role from all moderators until the Discourse instance has been upgraded to a version that has been patched.

Basic Information

ID CVE-2025-68666

Source GitHub_M

Published Jan 28, 2026 at 19:14

Modified Jan 28, 2026 at 20:20

Affected Product

Vendor discourse

Product discourse

Version < 3.5.4

Affected Versions discourse discourse < 3.5.4
discourse discourse >= 2025.11.0-latest, < 2025.11.2
discourse discourse >= 2025.12.0-latest, 2025.12.1
discourse discourse >= 2026.1.0-latest, < 2026.1.0

CWE Classification

CWE-863

References

github.com /discourse/discourse/security/advisories/GHSA-xmvw-jjqq-25mv

{
    "lastseen": "",
    "description": "Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users are leaked through the archives leading to a breach of confidentiality. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. To work around this problem, a site admin can temporarily revoke the moderation role from all moderators until the Discourse instance has been upgraded to a version that has been patched.",
    "published": "2026-01-28T19:14:09.984Z",
    "modified": "2026-01-28T20:20:50.203Z",
    "type": "cve",
    "title": "Discourse users archives leaked to users with moderation privileges",
    "source": "GitHub_M",
    "references": "https://github.com/discourse/discourse/security/advisories/GHSA-xmvw-jjqq-25mv",
    "id": "CVE-2025-68666",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "discourse discourse < 3.5.4\ndiscourse discourse >= 2025.11.0-latest, < 2025.11.2\ndiscourse discourse >= 2025.12.0-latest, 2025.12.1\ndiscourse discourse >= 2026.1.0-latest, < 2026.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "discourse",
    "version": "< 3.5.4",
    "vendor": "discourse",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Discourse users archives leaked to users with moderation privileges_CVE-2025-68666